WannaCry Ransomware Update: Windows 7 Hit Hardest

More than a week after the massive WannaCry ransomware attack hobbled computer systems around the world, security experts continue to assess the damage and keep watch for new outbreaks.

As of Friday, May 19, the malware had infected more than 416,000 systems, according to the U.K.-based security researcher who helped put a stop to the initial attack. Meanwhile, organizations that included FedEx and Britain’s National Health Service (NHS) continue to deal with fallout from the ransomware while researchers try to identify the attackers responsible.

Authorities have urged anyone affected by WannaCry not to pay the ransom requested, typically several hundred dollars in the digital currency Bitcoin, to regain access to files encrypted by the malware. Most victims were running Windows 7 x64, according to research from Kaspersky Lab, and some of them could be helped by a partial decryption fix that has been shown to recover data.

Hundreds of Thousands of Victims

The WannaCry ransomware began spreading around May 12, and the U.K.’s NHS was one of the first high-profile victims to come under attack. That same day a young British security researcher who goes by the name MalwareTech noticed that the ransomware was querying an unregistered domain name, which he quickly registered. The malware checks that domain before doing anything else and exits if the request succeeds, so registering it effectively set off a kill switch that stopped new infections by that variant (machines that had already been encrypted were not helped).

MalwareTech has since been identified by media outlets as Marcus Hutchins, 22. In an update on his blog on May 19 he noted that HTTP requests to the domain he registered showed some 416,989 systems had been hit by WannaCry as of that time.
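The same counting idea, applied to an organisation's own DNS resolver logs rather than to the sinkhole's web server, is shown below as an added example in Python; it is not code from the article, from MalwareTech's sinkhole or from any project named here. The domain name is the one MalwareTech registered (widely reported, but not given on this page); the log format and the log lines are constructed for the example.

```python
import re

# Kill-switch domain registered by MalwareTech on 12 May 2017 (widely reported;
# it is not named in the article above). WannaCry looks it up and issues an HTTP
# GET to it before doing anything else; if that request succeeds, the malware exits.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log lines in a hypothetical format used only for this example:
#   <ISO timestamp> <client ip> <query name> <query type> <response code>
SAMPLE_LOG = """\
2017-05-12T14:55:10Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NXDOMAIN
2017-05-12T14:55:12Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NXDOMAIN
2017-05-12T15:09:44Z 10.0.9.2 www.example.com. A NOERROR
2017-05-12T15:31:20Z 10.0.7.88 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM A NOERROR
2017-05-12T15:32:05Z 10.0.7.88 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.evil.example. A NOERROR
2017-05-12T15:40:30Z 10.0.2.5 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. AAAA NOERROR
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<rcode>[A-Z]+)$"
)


def normalise_name(name):
    """Canonical form of a DNS name: lower case, no trailing dot."""
    return name.rstrip(".").lower()


def killswitch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Tally, per client, the lookups of the kill-switch domain.

    Returns (hits, unparsed): hits maps a client IP to a dict with first_seen,
    queries, resolved (any NOERROR answer) and nxdomain (any NXDOMAIN answer);
    unparsed counts lines that did not match the log format.
    """
    wanted = normalise_name(domain)
    hits = {}
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        # Exact match only: a look-alike such as <domain>.evil.example must not count.
        if normalise_name(m["qname"]) != wanted:
            continue
        entry = hits.setdefault(
            m["client"],
            {"first_seen": m["ts"], "queries": 0, "resolved": False, "nxdomain": False},
        )
        entry["queries"] += 1
        if m["rcode"] == "NOERROR":
            entry["resolved"] = True
        elif m["rcode"] == "NXDOMAIN":
            entry["nxdomain"] = True
    return hits, unparsed


def triage(hits):
    """Split clients into those the kill switch could not have protected and the rest.

    An NXDOMAIN answer means the domain was still unregistered when the malware
    ran, so it went on to encrypt; a resolved name only means the exit path was
    possible, not that it was taken.
    """
    unprotected = sorted(ip for ip, e in hits.items() if e["nxdomain"])
    possibly_halted = sorted(ip for ip, e in hits.items() if not e["nxdomain"])
    return unprotected, possibly_halted


if __name__ == "__main__":
    hits, unparsed = killswitch_lookups(SAMPLE_LOG)
    unprotected, possibly_halted = triage(hits)
    print("clients that looked up the kill-switch domain:", len(hits))
    print("kill switch unavailable to them (assume encrypted):", unprotected)
    print("domain resolved for them (still ran the dropper):", possibly_halted)
    print("unparsed lines:", unparsed)
```

Every host in either list executed the dropper and should be treated as compromised; the split only says whether the exit path existed at the time. A resolved name is necessary but not sufficient: the malware has to complete the HTTP request too, and it connects directly rather than through the system proxy settings, so a network that only permits web traffic via a proxy got no benefit from the registration.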

Since the initial attack came under control, Microsoft has been criticized for its role in the malware’s propagation. The WannaCry ransomware (also called WannaCrypt by Microsoft and others) spreads from machine to machine using EternalBlue, an exploit for a flaw in the SMBv1 file-sharing protocol in Windows that the National Security Agency (NSA) had kept to itself and used for surveillance rather than reporting it to Microsoft. That exploit became public when the Shadow Brokers hacking group released a trove of data stolen from the NSA in April.

By then, Microsoft had already issued a security update for the flaw (MS17-010, released in March), but that fix was not offered to users still running older versions of Windows, such as Windows XP and Windows Server 2003, that no longer received Microsoft support. After the WannaCry attack, Microsoft took the unusual step of releasing the patch for those unsupported versions as well, so that it is now available to both supported and unsupported Windows users. Installing it, or disabling SMBv1 altogether where it is not needed, closes the path the worm uses to spread.

Assigning Responsibility

Writing Saturday in the U.K.’s Guardian newspaper, technology author and researcher Evgeny Morozov took Microsoft to task for its “disingenuous” stance on online safety and its calls for a “digital Geneva convention” to protect against cyberattacks.

“The conflict of interest here would be mind-boggling: the more insecure Microsoft’s software, the greater the demand for its cybersecurity services to protect it,” Morozov wrote. “Worse, governments — instead of doing something to curb such conflicts of interest — are only aggravating them. They allow tech companies to use their intelligence services as scapegoats while also creating a secondary market in cyberweapons that can then be used by petty criminals to instil terror and dread in the population. No wonder there are people demanding that some version of the digital Geneva conventions pass: the horrors, imposed by the tag team of government and industry, are just too painful to endure.”

U.K.-based security researcher Graham Cluley expressed similar concerns on his blog today. Cluley said it was understandable that people wanted someone to blame after a malware outbreak as significant as WannaCry.

“Is it the fault [of] the NSA for discovering a security vulnerability in Microsoft’s code, and not telling Microsoft at the time? Can we blame Microsoft for shipping buggy code in the first place?” he asked. “Are the mysterious Shadow Brokers hacking group responsible for WannaCry, because they stole details of the exploit the NSA built to take advantage of the Microsoft flaw? Should we point fingers at the organisations who failed to patch their systems in advance of the attack?”

Cluley noted that some investigators, citing similarities to previous cyberattacks, believe the North Korea-linked hacking group Lazarus might be responsible for the WannaCry attack. However, he added that North Korea’s deputy ambassador to the United Nations called such allegations “ridiculous.” Ultimately, Cluley said, it is possible the perpetrators will never be identified.

In its latest update about the ransomware attack, Europol’s European Cybercrime Center said it had tested a “partial solution developed by Benjamin Delpy, Matt Suiche and Adrien Guinet” and found that it was able to recover encrypted data on some victims’ systems. The method recovers the prime factors of the RSA key the ransomware generated from the memory of the still-running malware process and rebuilds the private key from them, so it only works on a machine that has not been rebooted, or had the process killed, since infection. Further details about how to deploy that fix are available on Comae Technologies’ website.
Source: NDTV